Unusually detailed report links Chinese military to hacks against US

Security firm Mandiant has published an unusually detailed report documenting China-sponsored hacking intrusions that have siphoned terabytes of sensitive data from 141 organizations over the past seven years.

The 74-page study is only the latest report to lay a battery of computer intrusions at the feet of hackers linked to China's government or military apparatus. But until now, many of those claims lacked crucial details, opening them up to skeptics who complained that the lack of specificity made it difficult or impossible to conclude Chinese actors were behind attacks targeting US governmental agencies, corporations, and human rights organizations. Given the anonymity that shrouds most network intrusions, critics have pointed out, the use of Chinese domain names, IP addresses, and localized language in computer espionage campaigns could almost as easily have been chosen by perpetrators from other countries who want to divert the attention of investigators.

The Mandiant report is largely a response to these critics. It identifies a 12-story white office tower on the outskirts of Shanghai as the nerve center for a hacking group long known to security researchers as the "Comment Crew." IP addresses that have been used for years in espionage hacks map to the immediate surroundings of the building. The tower also happens to be the headquarters for the People's Liberation Army's Unit 61398, which was described in 2011 as the "premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence" by the Virginia-based nongovernmental organization known as the Project 2049 Institute. Many of the claims in the Mandiant report have been independently confirmed by US intelligence officials, according to an article published by The New York Times.

Chinese government officials have criticized the Mandiant allegations as "unprofessional" and "irresponsible." They say China's infrastructure and computer systems are also routinely targeted in the same kinds of hacks. On Tuesday, Chinese military personnel reportedly detained a BBC television crew that filmed Unit 61398. The crew was eventually released, but their footage was confiscated.

Mandiant says it has documented 141 hacking intrusions led by Comment Crew since 2006. Given the IP addresses and clues gleaned from individual members with hacker handles including UglyGorilla and DOTA, the authors conclude that the campaign is almost surely sponsored by the Chinese government or military. The only other option, according to the report: "A secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398's gates, performing tasks similar to Unit 61398's known mission."

According to Mandiant, Comment Crew has for years vacuumed up the proprietary secrets of more than 100 targets, including technology blueprints, manufacturing processes, clinical trial results, pricing documents, and negotiation strategies. Of more concern, Comment Crew hackers have most recently turned their focus to computer systems used to control dams, gasoline refineries, and other critical infrastructure. One recent target is the Chertoff Group, which is headed by the former secretary of the Department of Homeland Security, Michael Chertoff. Other targets include the National Geospatial-Intelligence Agency, the National Electrical Manufacturers Association, and the Canadian arm of Telvent. As Ars reported in September, hackers compromised the company, which provides software that allows oil and gas pipeline companies to remotely monitor and control sensitive equipment.

"This is terrifying because—forget about the country—if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent," Dale Peterson, who is CEO of industrial control security firm Digital Bond, told the NYT.

The article also recounts a recent attempt to compromise Digital Bond itself by purportedly sending a fraudulent e-mail from Peterson to a part-time employee. The message, which used perfect English to discuss a security weakness in industrial systems, was laced with malware that "would have given the attackers control over the employee's computer and potentially given them a front-row seat to confidential information about Digital Bond's clients, which include a major water project, a power plant, and a mining company."

The Mandiant report doesn't name the Comment Crew victims, but the NYT article recalls the 2009 hack of Coca-Cola company, which coincided with its failed attempts to acquire the China Huiyuan Juice Group for $2.4 billion.

"As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola's negotiation strategy," reporters David Sanger, David Barboza and Nicole Perlroth wrote.

The hack began with a "spear phishing" e-mail addressed to a Coca-Cola executive that included a link to a booby-trapped website. With the executive's computer infected, the attackers were able to move from machine to machine inside the company's network. The hackers then sent "confidential company files through a maze of computers back to Shanghai, on a weekly basis, unnoticed," according to the NYT.

Mandiant's report is consistent with the findings of other security firms. After Dell SecureWorks researcher Joe Stewart reverse-engineered malware used to penetrate EMC's RSA division, he discovered that most of the data that was stolen in the attack was transferred to the same range of IP addresses that Mandiant has now identified.

China is by no means alone in being fingered as a sponsor of well-funded hacks on computers in foreign countries. An array of sophisticated malware with names including Stuxnet, Flame, and Duqu has been unleashed on networks in Iran and other Middle East countries, reportedly with the support and direction of US and Israeli military officials. US officials have long insisted they operate under strict rules that bar the use of offensive weapons for nonmilitary purposes or for stealing corporate data.

96 Reader Comments

I think we all have correctly assumed that the Chinese govt has been sponsoring an elite hacking squad. I'm just surprised that this Mandiant firm was able to glean so much information about them. Well done.

When I read about this elsewhere earlier today, it really worried me. I mean, getting into Coca-Cola's network and getting information about them is one thing (sucks for them with the money they lose, but it isn't the end of the world), but gathering information about our infrastructure is another. I sure hope that the people in charge of systems such as power grids have contingencies in place to get power going if someone suddenly attacks and knocks things offline.

I'm sure it would lead to a never-ending game of IP address whack-a-mole, but if they know the IP addresses that "map to the areas around the building" why don't we just block those IP addresses at the Tier 1 level?

I'm not an expert in computer security, but why don't corporations use firewalls to block outbound and inbound traffic to Chinese IPs?

Easily defeated by a VPN tunnel or compromised server not associated with China. Which begs the question anyway, why didn't they bother to hide the IP address for those comments - the comments that exposed them - behind a VPN tunnel in another country?

Count me as someone that is waiting to see what the Chinese response to this article will be. Are they going to slow down now that they have been accused of hacking? Or will they become more aggressive since their 'secret' is out?

I would also like to know how the US government plans to counter these repeated violations. Do they believe it is better to act like nothing happened or risk a major cyber war with one of our most important trading partners?

I'm not an expert in computer security, but why don't corporations use firewalls to block outbound and inbound traffic to Chinese IPs?

Easily defeated by a VPN tunnel or compromised server not associated with China. Which begs the question anyway, why didn't they bother to hide the IP address for those comments - the comments that exposed them - behind a VPN tunnel in another country?

Ya that's what I mean. It wouldn't be much more difficult, but every little bit helps. Make the hackers work a little harder.

I'm not an expert in computer security, but why don't corporations use firewalls to block outbound and inbound traffic to Chinese IPs?

If only it could be that simple. In the NYT attack, Comment Crew gained access to NYT computers by switching their IPs and rerouting their traffic through IPs of American universities, which they hacked as well.

Ya that's what I mean. It wouldn't be much more difficult, but every little bit helps. Make the hackers work a little harder.

When you have Java zero-days available to transmit your payload, you have a lot of options for getting at your target. "Doesn't connect to Chinese IPs? Good thing I have a hacked server sitting in Europe somewhere..."

The newspaper hired the firm to investigate the hacks (The Wall Street Journal and Washington Post also reported being the victims of similar hacks) but found that Comment Crew was not responsible for the sophisticated hack.

So....the boogeyman that Mandiant has been following for 6 years and the source of nearly all hacking by a sophisticated hacking government controlled group, is responsible? Er maybe not? Or maybe Mandiant is making stuff up?

Nearly all is not the same thing as all.

Mydrrin wrote:

And being so sophisticated and controlled part of the internet, they don't know how to mask their signal? Really hard to believe don't you think?

Why should they mask themselves when they can make exactly the same argument that you just made?

Well first we had the Face of Ugly Terrorism rise and we got the Patriot Act. We lost a lot of Rights and still lose Rights from that one alone.

Now, this stuff will fuel the fire in Washington for Patriot Act 2. My thoughts are this could lead to us losing even more rights. We will now see many Tech Clueless and Computer Illiterate Politicians Propose Badly Written Broad Bills that will Restrict our Freedom even more.

What's likely to happen now though? A diplomatic slap on the wrist? Some political remarks? Or some cyber warfare retribution we won't hear about?

Nothing ... for now. Think about it. The world's economies are held in the hands of just 2 countries. You can call it the financial equivalent of Mutual Self-Destruction. They keep us liquid, we give them access to a lucrative market. The real hurt will be the citizens of the republic when those that stand to gain the most from a Patriot Act 2.0 (or 3.0 depending on who you talk to) enact such policies.

What's likely to happen now though? A diplomatic slap on the wrist? Some political remarks? Or some cyber warfare retribution we won't hear about?

Good question. Recently the White House said cyber attacks were an act of war. Whether they had to be against military infrastructure or just the USA in general I am unsure of. Will be interesting to see our government's response to this report.

I'm not an expert in computer security, but why don't corporations use firewalls to block outbound and inbound traffic to Chinese IPs?

Because they don't connect to the victim directly from their house, and because it turns out that China has more internet users than any other country on earth, and pre-emptively cutting off that entire audience (especially if you have offices/stores there) is a Bad Thing.

As for those surprised that they could be doxed to such an extent: it's because it does not matter that much. They have to be polite, but our economies are so intertwined that they can get away with just about anything with only minor repercussions as long as it doesn't actually get people hurt or killed.
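The thread above argues that blocking Chinese address ranges fails once the traffic is relayed through servers elsewhere, and the article notes that Coca-Cola's files left "on a weekly basis, unnoticed." As an added example (not from the article, Mandiant, or any commenter), this Python sketch runs constructed flow records through a hypothetical geo-block list and separately flags repeated, roughly weekly bulk transfers regardless of destination; every address, threshold and record is a made-up assumption.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample egress flows (not real data): (timestamp, src, dst, bytes_out).
# 10.0.5.21 pushes ~900 MB to the same relay every Monday night; 10.0.7.3 is benign.
SAMPLE_FLOWS = [
    ("2013-01-07T02:10:00", "10.0.5.21", "198.51.100.7", 850_000_000),
    ("2013-01-14T02:12:00", "10.0.5.21", "198.51.100.7", 910_000_000),
    ("2013-01-21T02:09:00", "10.0.5.21", "198.51.100.7", 880_000_000),
    ("2013-01-21T09:30:00", "10.0.5.21", "198.51.100.7", 2_000_000),
    ("2013-01-09T14:00:00", "10.0.7.3", "192.0.2.10", 5_000_000),
    ("2013-01-16T14:00:00", "10.0.7.3", "192.0.2.10", 4_000_000),
]

# Hypothetical geo-block list; the relay above is deliberately outside it to
# show why destination-based blocking alone misses the transfer.
BLOCKED_RANGES = [ip_network("203.0.113.0/24")]


def geo_block_would_catch(flows, blocked=BLOCKED_RANGES):
    """Return the flows whose destination falls inside a blocked range."""
    return [f for f in flows if any(ip_address(f[2]) in net for net in blocked)]


def periodic_bulk_egress(flows, min_bytes=100_000_000, min_repeats=3,
                         period_days=7, tolerance_hours=6):
    """Flag (src, dst) pairs with >= min_repeats large transfers spaced ~period_days apart."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if nbytes >= min_bytes:  # ignore ordinary small sessions
            by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    target = period_days * 24
    for (src, dst), times in by_pair.items():
        times.sort()
        if len(times) < min_repeats:
            continue
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if all(abs(g - target) <= tolerance_hours for g in gaps):
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "period_hours": round(sum(gaps) / len(gaps), 1)})
    return hits


if __name__ == "__main__":
    print("geo-block matches:", geo_block_would_catch(SAMPLE_FLOWS))
    print("periodic bulk egress:", periodic_bulk_egress(SAMPLE_FLOWS))
```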

Kevin Mandia wrote the book (literally, it's on my shelf) on incident handling. They know their business.

Which is why this is disturbing. The security community is choking right now, not that it doubts the general guilt of China nor the accusations in general. Rather the problem is that Mandiant appears to be making some jumps in reasoning. There seems to be a rush to judgement because every bogeyman is a Chinese bogeyman.

The more this kind of cyber warfare goes on, the more I feel like the world of Ghost in the Shell is coming true. Equally fascinating and terrifying.

"And where does the newborn go from here? The net is vast and infinite."

And right now, that newborn is a teen, rebelling against the very hands that tried to raise it in their image. Ultimately, however, will society allow the net to be whatever it wants to be or conform it to the specifics of special interest or a small authoritarian group (and I mean anyone who wishes to control the net in that context)?